FLAC: Buffer overflow
Gentoo Linux Security Advisory
GLSA 200711-15 / flac
November 12, 2007
November 12, 2007: 01
All supported architectures
Multiple integer overflow vulnerabilities were found in FLAC, possibly
allowing for the execution of arbitrary code.
The Xiph.org Free Lossless Audio Codec (FLAC) library is the reference
implementation of the FLAC audio file format. It contains encoders and
decoders in library and executable form.
Sean de Regge reported multiple integer overflows when processing FLAC
media files that could lead to improper memory allocations resulting in
heap-based buffer overflows.
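The bug class described above, as an added example that is not FLAC's code and not part of the original advisory: a size computed from an untrusted count wraps in 32 bits, and a hardened parser rejects the count instead. The record layout, ENTRY_SIZE, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout (not FLAC's): 32-bit big-endian entry count taken
 * from untrusted input, followed by that many fixed-size entries. */
#define ENTRY_SIZE 18u

/* Unsafe pattern: the 32-bit product wraps, yielding a too-small size. */
static uint32_t size_unchecked(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* Checked pattern: fail instead of wrapping. */
static int size_checked(uint32_t count, size_t *out)
{
    if (count > SIZE_MAX / ENTRY_SIZE)
        return -1;
    *out = (size_t)count * ENTRY_SIZE;
    return 0;
}

/* Hardened parse: returns a heap copy of the entries, or NULL when the
 * declared count does not match the bytes actually present. */
static uint8_t *read_entries(const uint8_t *buf, size_t len, uint32_t *count_out)
{
    if (len < 4)
        return NULL;
    uint32_t count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    size_t need;
    if (size_checked(count, &need) != 0 || need > len - 4)
        return NULL;
    uint8_t *copy = malloc(need ? need : 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf + 4, need);
    *count_out = count;
    return copy;
}

int main(void)
{
    /* Constructed count: 0x0E38E38F * 18 = 2^32 + 14, so 14 after wrapping. */
    printf("unchecked size: %u bytes\n", (unsigned)size_unchecked(0x0E38E38Fu));
    return 0;
}
```

Bounding the declared size by the remaining input length is what rejects the oversized count on platforms where size_t is 64 bits and the multiplication itself cannot wrap.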
A remote attacker could entice a user to open a specially crafted FLAC
file or network stream with an application using FLAC. This might lead
to the execution of arbitrary code with privileges of the user playing
There is no known workaround at this time.
All FLAC users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/flac-1.2.1-r1"
You should also run revdep-rebuild to rebuild any packages that depend
on older versions of FLAC:
Code Listing 3.2: Resolution
# revdep-rebuild --library=libFLAC.*